Department of Homeland Security
Office of Inspector General

Information Technology Management Letter for the
United States Coast Guard Component of the
FY 2009 DHS Integrated Audit

OIG-10-77                                                                April 2010

Office of Inspector General
U.S. Department of Homeland Security
Washington, DC 20528

April 9, 2010

Preface

The Department of Homeland Security (DHS) Office of Inspector General (OIG) was established by the Homeland Security Act of 2002 (Public Law 107-296) by amendment to the Inspector General Act of 1978. This is one of a series of audit, inspection, and special reports prepared as part of our oversight responsibilities to promote economy, efficiency, and effectiveness within the department.

This report presents the information technology (IT) management letter for the United States Coast Guard component of the FY 2009 DHS Integrated Audit as of September 30, 2009. It contains observations and recommendations related to information technology internal control that were not required to be reported in the Independent Auditors’ Report, dated November 13, 2009, and represents the separate restricted distribution report mentioned in that report. The independent accounting firm KPMG LLP (KPMG) performed the audit of Coast Guard’s FY 2009 financial statements as part of the DHS Integrated Audit and prepared this IT management letter. KPMG is responsible for the attached IT management letter dated January 21, 2010, and the conclusions expressed in it.
We do not express opinions on DHS’ financial statements or internal control, or a conclusion on compliance with laws and regulations.

The recommendations herein have been developed to the best knowledge available to our office, and have been discussed in draft with those responsible for implementation. We trust this report will result in more effective, efficient, and economical operations. We express our appreciation to all of those who contributed to the preparation of this report.

Frank Deffer
Assistant Inspector General for Information Technology Audits

KPMG LLP
2001 M Street, NW
Washington, DC 20036

January 21, 2010

Inspector General
U.S. Department of Homeland Security
Chief Information Officer
U.S. Coast Guard
Chief Financial Officer
U.S. Coast Guard

Gentlemen:

We were engaged to audit the balance sheet of the U.S. Department of Homeland Security (DHS or Department) as of September 30, 2009, and the related statement of custodial activity for the year then ended (referred to herein as “financial statements”). We were also engaged to examine the Department’s internal control over financial reporting (ICOFR) of the balance sheet as of September 30, 2009, and statement of custodial activity for the year then ended. We were not engaged to audit the statements of net cost, changes in net position, and budgetary resources for the year ended September 30, 2009 (referred to herein as “other fiscal year [FY] 2009 financial statements”), or to examine ICOFR over the other FY 2009 financial statements.
Because of matters discussed in our Independent Auditors’ Report, dated November 13, 2009, the scope of our work was not sufficient to enable us to express, and we did not express, an opinion on the financial statements. In addition, we were unable to perform procedures necessary to form an opinion on DHS’ ICOFR of the FY 2009 balance sheet and statement of custodial activity.

In connection with our FY 2009 engagement, we examined the United States Coast Guard’s (Coast Guard) internal control over financial reporting by obtaining an understanding of Coast Guard’s internal control, determining whether internal controls had been placed in operation, assessing control risk, and performing tests of controls. As noted above, the scope of our work was not sufficient to enable us to express, and we did not express, an opinion on the effectiveness of ICOFR. Further, other matters involving ICOFR may have been identified and reported had we been able to perform all procedures necessary to express an opinion on the DHS balance sheet as of September 30, 2009, and the related statement of custodial activity for the year then ended, and had we been engaged to audit the other FY 2009 financial statements.

A control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect and correct misstatements on a timely basis. A significant deficiency is a deficiency, or a combination of deficiencies, in internal control over financial reporting that is less severe than a material weakness, yet important enough to merit attention by those charged with governance.
A material weakness is a deficiency, or a combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, or detected and corrected on a timely basis.

KPMG LLP, a U.S. limited liability partnership, is the U.S. member firm of KPMG International, a Swiss cooperative.

During our audit engagement, we noted certain matters in the area of configuration management with respect to Coast Guard’s financial systems information technology (IT) general controls which we believe contribute to a DHS-level significant deficiency that is considered a material weakness in IT controls and financial system functionality. These matters are described in the IT General Control and Financial System Functionality Findings by Audit Area section of this letter.

The material weakness described above is presented in our Independent Auditors’ Report dated November 13, 2009. This letter represents the separate restricted distribution report mentioned in that report.

Although not considered to be a material weakness, we also noted certain other items during our audit engagement which we would like to bring to your attention. These matters are also described in the IT General Control and Financial System Functionality Findings by Audit Area section of this letter.

The material weakness and other comments described herein have been discussed with the appropriate members of management, or communicated through a Notice of Finding and Recommendation (NFR). We aim to use our knowledge of DHS’ organization gained during our audit engagement to make comments and suggestions that we hope will be useful to you.
We have not considered internal control since the date of our Independent Auditors’ Report.

The Table of Contents on the next page identifies each section of the letter. In addition, we have provided the following: a description of key Coast Guard financial systems and IT infrastructure within the scope of the FY 2009 DHS financial statement audit engagement in Appendix A; a description of each internal control deficiency in Appendix B; the current status of the prior year Notices of Finding and Recommendation (NFRs) in Appendix C; and Coast Guard management’s written response in Appendix D. Our comments related to financial management and reporting internal controls have been presented in a separate letter to the Office of Inspector General and the DHS Acting Chief Financial Officer dated December 9, 2009.

This report is intended solely for the information and use of DHS management, DHS Office of Inspector General, the Office of Management and Budget, U.S. Government Accountability Office, and the U.S. Congress, and is not intended to be and should not be used by anyone other than these specified parties.

Very truly yours,

Department of Homeland Security
United States Coast Guard
Information Technology Management Letter
September 30, 2009

INFORMATION TECHNOLOGY MANAGEMENT LETTER

TABLE OF CONTENTS

                                                                                       Page
Objective, Scope and Approach                                                             1
Summary of Findings and Recommendations                                                   2
IT General Control and Financial System Functionality Findings by Audit Area              3
  Findings Contributing to a Material Weakness in IT at the Departmental Level            3
    Related to IT Financial Systems Controls                                              3
      Configuration Management                                                            3
    Related to Financial System Functionality                                             4
    Other Findings in IT General Control                                                  5
      Access Controls                                                                     5
      Security Management                                                                 5
    After-Hours Physical Security Testing                                                 6
    Social Engineering Testing                                                            7
Application Controls                                                                      9
Management’s Comments and OIG Response                                                    9

APPENDICES

Appendix   Subject                                                                     Page
A          Description of Key Coast Guard Financial Systems and IT Infrastructure
           within the Scope of the FY 2009 DHS Financial Statement Audit Engagement       10
B          FY 2009 Notices of IT Findings and Recommendations at Coast Guard              12
           - Notice of Findings and Recommendations – Definition of Severity Ratings      13
C          Status of Prior Year Notices of Findings and Recommendations and
           Comparison to Current Year Notices of Findings and Recommendations
           at Coast Guard                                                                 24
D          Management’s Comments                                                          30
E          Report Distribution                                                            32

OBJECTIVE, SCOPE AND APPROACH

During our engagement to perform an integrated audit of the Department of Homeland Security (DHS), we evaluated the effectiveness of the IT general controls of DHS’ financial processing environment and related IT infrastructure as necessary to support the engagement. The Federal Information System Controls Audit Manual (FISCAM), issued by the Government Accountability Office (GAO), formed the basis of our audit as it relates to the IT general control assessment at Coast Guard. The scope of the Coast Guard IT general controls assessment is described in Appendix A.

FISCAM was designed to inform financial auditors about IT controls and related audit concerns to assist them in planning their audit work and to integrate the work of auditors with other aspects of the financial statement audit. FISCAM also provides guidance to IT auditors when considering the scope and extent of review that generally should be performed when evaluating general controls and the IT environment of a federal agency. FISCAM defines the following five control functions to be essential to the effective operation of the general IT controls environment.

• Security Management (SM) – Controls that provide a framework and continuing cycle of activity for managing risk, developing security policies, assigning responsibilities, and monitoring the adequacy of computer-related security controls.
• Access Control (AC) – Controls that limit and/or monitor access to computer resources (data, programs, equipment, and facilities) to protect against unauthorized modification, loss, and disclosure.
• Configuration Management (CM) – Controls that help to prevent the implementation of unauthorized programs or modifications to existing programs.
• Segregation of Duties (SD) – Controls that constitute policies, procedures, and an organizational structure to prevent one individual from controlling key aspects of computer-related operations, thus deterring unauthorized actions or access to assets or records.
• Contingency Planning (CP) – Controls that involve procedures for continuing critical operations without interruption, or with prompt resumption, when unexpected events occur.

To complement our general IT controls audit, we also performed technical security testing for key network and system devices. The technical security testing was performed from within a select Coast Guard facility, and focused on test, development, and production devices that directly support Coast Guard’s financial processing and key general support systems.

Application controls were not tested for the year ending September 30, 2009, due to the nature of prior-year audit findings.

Information Technology Management Letter for the United States Coast Guard Component of the FY 2009 DHS Integrated Audit

SUMMARY OF FINDINGS AND RECOMMENDATIONS

During fiscal year (FY) 2009, Coast Guard took corrective action to address nearly half of the prior year IT control weaknesses. For example, Coast Guard made improvements by updating the Coast Guard Finance Center (FINCEN) Continuity of Operations (COOP) Plan, strengthening account management controls over the Shore Asset Management (SAM) system, and completing the Certification and Accreditation (C&A) package for its core financial systems. However, during FY 2009, we continued to identify IT general control weaknesses at Coast Guard. The most significant weaknesses from a financial statement audit perspective are related to the controls over authorization, development, implementation, and tracking of IT scripts at FINCEN.
These IT control deficiencies limited Coast Guard’s ability to ensure that critical financial and operational data were maintained in such a manner as to ensure confidentiality, integrity, and availability. In addition, these deficiencies negatively impacted the internal controls over Coast Guard financial reporting and its operation, and we consider them to contribute to a material weakness at the Department level under standards established by the American Institute of Certified Public Accountants (AICPA). In addition, based upon the results of our test work, we noted that the Coast Guard did not fully comply with the Department’s requirements under the Federal Financial Management Improvement Act (FFMIA).

Of the 20 findings identified during our FY 2009 testing, 11 were repeat findings, either partially or in whole, from the prior year, and 9 were new IT findings. These findings represent deficiencies in three of the five FISCAM key control areas. The FISCAM areas impacted included Security Management, Access Control, and Configuration Management. We also considered the effects of financial system functionality when testing internal controls, since key Coast Guard financial systems are not compliant with FFMIA and are no longer supported by the original software provider. Financial system functionality limitations add to the challenge of addressing systemic internal control weaknesses and strengthening the control environment at the Coast Guard.

The majority of the findings indicate a lack of properly designed, detailed, and consistent guidance over financial system controls to enforce DHS Sensitive System Policy Directive 4300A requirements and National Institute of Standards and Technology (NIST) guidance.
Specifically, the findings stem from 1) inadequately designed and operating IT script change control policies and procedures, 2) unverified access controls through the lack of user access privilege re-certifications, 3) entity-wide security program issues involving civilian and contractor background investigation weaknesses, 4) inadequately designed and operating audit log review policies and procedures, 5) physical security and security awareness, and 6) role-based training for individuals with elevated responsibilities. These deficiencies may increase the risk that the confidentiality, integrity, and availability of system controls and Coast Guard financial data could be exploited, thereby compromising the integrity of financial data used by management and reported in the DHS consolidated financial statements.

While the recommendations made by us should be considered by Coast Guard, it is the ultimate responsibility of Coast Guard management to determine the most appropriate method(s) for addressing the weaknesses identified based on their system capabilities and available resources.

IT GENERAL CONTROLS AND FINANCIAL SYSTEM FUNCTIONALITY FINDINGS BY AUDIT AREA

Findings Contributing to a Material Weakness in IT at the Department Level

Conditions: In FY 2009, the following IT general control and financial system functionality deficiencies were identified at the Coast Guard and contribute to a DHS-level significant deficiency that is considered a material weakness in IT general and application controls. Our findings are divided into two groupings: 1) financial systems controls and 2) IT system functionality.

Related to IT Financial Systems Controls

Configuration Management – we noted:

Coast Guard’s core financial system configuration management process controls are not operating effectively, and continue to present risks to DHS financial data confidentiality, integrity, and availability. Financial data in the general ledger may be compromised by automated and manual changes that are not adequately controlled. For example, the Coast Guard uses an IT scripting process to make updates to its core general ledger software as necessary to process financial data. However, the Coast Guard has not fully developed testing standards to guide staff in the development and functional testing of IT scripts, documented policies and procedures over the testing plans that must be performed, or improved processes to ensure that all necessary approvals are obtained prior to implementation.
Specifically, we noted the following weaknesses associated with the IT script control process:
    • Coast Guard lacks a formal process to distinguish between the module lead approvers for script approval requests.
    • FINCEN analysts may run scripts without seeking approval from the Functional Supervisors for approved recurring scripts.
    • Testing requirements are inconsistently followed for the testing of the recurring approval scripts and for retaining evidence of testing.
    • Reconciliation between the scripts run and the changes made to the database tables is not being performed to monitor script activity, as it is considered too difficult to accurately and effectively reconcile the scripts to the audit log table changes.
    • The Script Tracking System does not consistently include all testing, approval, and implementation documentation for all scripts.
    • Variations exist in the way the PRP Approval Forms are populated and completed for fields such as financial impact, test strategy, and baseline determinations.
    • Proper approval is not consistently obtained and documented prior to the running of each script.

Related to Financial System Functionality:

We noted that financial system functionality limitations are contributing to control deficiencies and inhibiting progress on corrective actions for Coast Guard. These functionality limitations are preventing the Coast Guard from improving the efficiency and reliability of its financial reporting processes. Some of the financial system limitations lead to extensive manual and redundant procedures to process transactions, verify accuracy of data, and prepare financial statements. Systemic conditions related to financial system functionality include:

1. As noted above, Coast Guard’s core financial system configuration management process is not operating effectively due to inadequate controls over IT scripts.
   The IT script process was instituted as a solution primarily to compensate for system functionality and data quality issues;
2. Annual financial system account recertifications are not being performed due to limitations in the systems;
3. Financial system audit logs are not readily generated and reviewed, as some of the financial systems lack this capability;
4. Aspects of DHS-required system password requirements are not implemented because some financial systems cannot support the policy;
5. Production versions of operational financial systems are outdated, no longer supported by the vendor, and do not provide the necessary core functional capabilities (e.g., general ledger capabilities);
6. Financial system functionality limitations are preventing the Coast Guard from establishing automated processes and application controls that would improve accuracy and reliability and facilitate efficient processing of certain financial data, such as:
   • Tracking of costs to support weighted average pricing for operating materials and supplies;
   • Maintaining data needed to support the calculation of accounts payable and provide detailed listings of accounts payable, which may reduce the resources spent by Coast Guard personnel in manually preparing the accounts payable accrual;
   • Ensuring proper segregation of duties, such as automating the procurement process to ensure that only individuals who have proper contract authority can approve transactions;
   • Tracking detail transactions associated with intragovernmental business and eliminating the need for default codes such as Trading Partner Identification Number that cannot be easily researched; and
   • Ensuring that undelivered obligations are properly accounted for upon receipt of goods or services.

Recommendations: Coast Guard should continue to make improvements to implement and better document an integrated script configuration management process that includes enforced responsibilities for all participants in the process and continued development of documentation requirements. In addition, Coast Guard should address the IT system aspects associated with the financial system functionality issues listed in No. 1 through No. 6 above, or develop compensating/mitigating controls in order to eliminate or reduce the associated risk.

Specifically, for the IT script control process, we recommend that the Coast Guard:

    • Continue to design, document, implement, and enforce the effectiveness of internal controls associated with the active (current and future) scripts;

    With respect to procedures already in place, Coast Guard should:

    • Update / develop procedures and implement technical controls in the Core Accounting System (CAS) and Financial Procurement Desktop (FPD) databases to ensure that the appropriate monitoring and review of script activities is performed and documented;

    • Continue to update script policies and procedures to include clear requirements and more detailed guidance over requesting recurring scripts, testing and documentation requirements, monitoring/audit log reviews, and blanket approval requirements.
      Additionally, ensure that the policies and procedures include detailed guidance over the requirements for the testing of scripts and associated test plans to ensure that the financial impact of each script is evaluated, reviewed by the appropriate personnel, tested in an appropriate test environment prior to being put into production, and documented prior to execution; and

    • Further develop and implement policies and procedures governing the script change control process to ensure that all script records are accurate and complete.

Other Findings in IT General Controls

Although not contributing to a department-level material weakness, we also noted the following other matters related to financial system IT control deficiencies during the FY 2009 DHS IT audit:

1. Access Controls – we noted:
    • Procedures surrounding the use of monitoring reports over contracted personnel data have not been formally documented.
    • Procedures over the process of finalizing and implementing entity-wide processes for account terminations and related notifications are still in draft and have not been implemented or communicated.
    • Audit log reviews for key financial systems are not conducted at a sufficient frequency.
    • Access review procedures for key financial applications do not include the review of all user accounts to ensure that all terminated individuals no longer have active accounts, that inactive accounts are locked, and that the privileges associated with each individual are still authorized and necessary.

2. Security Management – we noted:
    • Background investigations for all civilian employees have not been completed, and Coast Guard’s civilian position sensitivity designation process is not in compliance with DHS guidance.
    • Coast Guard procedures do not include specific guidance for program managers on how to set correct and consistent risk levels and position sensitivity designations for contract employees.
    • During our after-hours physical security and social engineering testing we identified exceptions in the protection of sensitive user account information. The tables below detail the exceptions identified at the various locations tested.

After-Hours Physical Security Testing

We performed after-hours physical security testing to identify risks related to non-technical aspects of IT security. These non-technical IT security aspects include physical access to media and equipment that house financial data, and information residing on a Coast Guard employee’s / contractor’s desk, which could be used by others to gain unauthorized access to systems housing financial information.
The testing was performed at various Coast Guard locations that process and / or maintain financial data.

              Security Weaknesses Observed During After-Hours Physical Security Testing

                                            Coast Guard Locations Tested
                                    CG HQ –     CG HQ –     CG HQ –       Coast Guard     Total
                                    Jemal       Jemal       Transpoint    Finance Center  Exceptions
  Exceptions Noted                  (CG-6)      (DCMS-8x)   (CG-8)        (FINCEN)        by Type
  Passwords                            2           2           1              6              11
  For Official Use Only (FOUO)
  Documents                            0           0           0              0               0
  Keys/Badges                          0           0           0              0               0
  Personally Identifiable
  Information (PII)                    0           0           0              0               0
  Server Names/IP Addresses            0           0           0              0               0
  Unsecured Laptops                    0           2           0              0               2
  Unsecured External Drives            0           0           0              0               0
  Credit Cards                         0           2           0              0               2
  Common Access Cards (CAC)            1           0           0              3               4
  Common Access Card PIN               0           0           0              0               0
  Classified Documents                 0           0           0              0               0
  Other – US Government
  official passport                    0           0           0              0               0
  Total Exceptions by Location         3           6           1              9              19

Source: Coast Guard management, OIG and KPMG direct observation and inspection of work areas.

Note that approximately 20-25 desks / offices were examined for each one of the columns in the above table.

Social Engineering Testing

Social engineering is defined as the act of attempting to manipulate or deceive individuals into taking action that is inconsistent with DHS policies, such as divulging sensitive information or allowing / enabling computer system access. The term typically applies to deception for the purpose of information gathering or gaining computer system access. The results of our testing are shown in the following table.

  Location               Total Called    Total Answered    Number of people who provided a password
  Coast Guard HQ         20              8                 0 passwords
  Coast Guard FINCEN*    18              6                 1 password

* Although the password was provided, shortly after the violation the user became aware of his / her infraction and changed his / her password. Additionally, the user then notified the FINCEN Information Assurance Support (IAS) group of the social engineering activity. Our full sample of 30 personnel could not be completed due to the intervention of the Coast Guard FINCEN Information Assurance Support (IAS) group.

Recommendations: We recommend that the Coast Guard Chief Information Officer and Chief Financial Officer, in coordination with the DHS Office of the Chief Financial Officer and the DHS Office of the Chief Information Officer, make the following improvements to Coast Guard’s financial management systems and associated information technology security program.

For access controls:
    • Develop procedures for the periodic review of the manual audit logs.
      In addition, ensure audit log files are configured, retained, and archived in compliance with DHS policy;
    • Develop and finalize specific procedures over the review of the Contractor Verification System (CVS) reports and reconciliation of contractor accounts to ensure that contractor data within the system remains current and accurate;
    • Develop and document an enterprise-wide process that will notify all impacted system owners of terminated, transferred, or retired contractor, military, and civilian personnel;
    • Review audit logs containing unusual activity and unexplained access attempts on at least a monthly basis;
    • Modify procedures to require an annual review of one hundred percent (100%) of user accounts for the key financial systems and their associated privileges that are greater than read-only to ensure access is still required.

For security management:
    • Update the policies and procedures currently in place to include clear guidance for Program Managers and Contracting Officers to assign contractor risk level(s) and position sensitivity designation requirements in order to verify that all contracts issued by the Coast Guard include the appropriate investigation level requirements;
    • Perform initial background investigations and re-investigations for civilian employees in accordance with DHS directives;
    • Review its policies and procedures regarding Protection of Sensitive Information and update where required in order to address DHS and other Federal requirements, with emphasis being placed on the potential impacts of not consistently and adequately protecting this sensitive information;
    • Review, and update as required, its security awareness / training content to address the updated Protection of Sensitive Information policies and procedures; and
    • Validate the effectiveness of the updated policies and procedures and associated training through mechanisms such as scheduled and unscheduled desk / floor reviews, awareness training testing, etc. and take appropriate corrective action to address any issues identified during this validation.

Cause/Effect: The IT system development activities did not incorporate adequate security controls during the initial implementation more than six years ago. The current IT configurations of many Coast Guard financial systems cannot be easily reconfigured to meet new DHS security requirements. The existence of these IT weaknesses leads to added dependency on the other mitigating manual controls to be operating effectively at all times. Because mitigating controls often require more human involvement, there is an increased risk that human error could materially affect the financial statements. In addition, the Coast Guard's core financial systems are not FFMIA compliant with the Federal Government's Financial System Integration Office (FSIO) requirements.

Reasonable assurance should be provided that financial system user access levels are limited and monitored for appropriateness and that all user accounts belong to current employees.
The weaknesses identified within Coast Guard's access controls increase the risk that employees and contractors may have access to a system that is outside the realm of their job responsibilities or that a separated individual, or another person with knowledge of an active account of a terminated employee, could use the account to alter the data contained within the application or database. This may also increase the risk that the confidentiality, integrity, and availability of system controls and the financial data could be exploited, thereby compromising the integrity of financial data used by management and reported in the DHS financial statements.

Furthermore, the lack of documented security configuration management controls may result in security responsibilities being communicated to system developers improperly, as well as the improper implementation and monitoring of system changes. This also increases the risk of unsubstantiated changes as well as changes that may introduce errors or data integrity issues that are not easily traceable back to the changes. In addition, it increases the risk of undocumented and unauthorized changes to critical or sensitive information and systems. This may reduce the reliability of information produced by these systems.

Criteria: The Federal Information Security Management Act (FISMA), passed as part of the Electronic Government Act of 2002, mandates that Federal entities maintain IT security programs in accordance with OMB and NIST guidance. OMB Circular No. A-130, Management of Federal Information Resources, and various NIST guidelines describe specific essential criteria for maintaining effective general IT controls. In addition, OMB Circular No. A-127 prescribes policies and standards for executive departments and agencies to follow in developing, operating, evaluating, and reporting on financial management systems.
FFMIA sets forth legislation prescribing policies and standards for executive departments and agencies to follow in developing, operating, evaluating, and reporting on financial management systems. The purpose of FFMIA is: (1) to provide for consistency of accounting by an agency from one fiscal year to the next, and uniform accounting standards throughout the Federal Government; (2) require Federal financial management systems to support full disclosure of Federal financial data, including the full costs of Federal programs and activities; (3) increase the accountability and credibility of federal financial management; (4) improve performance, productivity and efficiency of Federal Government financial management; and (5) establish financial management systems to support controlling the cost of Federal Government. In closing, for this year's IT audit we assessed the DHS component's compliance with DHS Sensitive System Policy Directive 4300A.


                                 APPLICATION CONTROLS

Application controls were not tested for the year ending September 30, 2009 due to the nature of the prior-year audit findings.


               MANAGEMENT COMMENTS AND OIG RESPONSE

We obtained written comments on a draft of this report from the Coast Guard CIO. Generally, the Coast Guard agreed with all of our findings and recommendations. The Coast Guard has developed a remediation plan to address these findings and recommendations.
We have included a copy of the comments in Appendix D.

OIG Response

We agree with the steps that Coast Guard management is taking to satisfy these recommendations.


                                  Appendix A

  Description of Key Coast Guard Financial Systems and IT Infrastructure within the Scope of the FY 2009 DHS Financial Statement Audit Engagement


Below is a description of significant Coast Guard financial management systems and supporting Information Technology (IT) infrastructure included in the scope of the engagement to perform the financial statement audit.

Locations of Audit: Coast Guard Headquarters in Washington, DC; the Coast Guard Finance Center (FINCEN) in Chesapeake, Virginia; the Operations Supply Center (OSC) in Martinsburg, West Virginia; and the Pay and Personnel Center (PPC) in Topeka, Kansas.

Key Systems Subject to Audit:
• Core Accounting System (CAS): Core accounting system that is the principal general ledger for recording financial transactions for the Coast Guard. CAS is hosted at FINCEN, the Coast Guard's primary data center. It is a customized version of Oracle Financials.
• Financial Procurement Desktop (FPD): Used to create and post obligations to the core accounting system. It allows users to enter funding, create purchase requests, issue procurement documents, perform system administration responsibilities, and reconcile weekly program element status reports. FPD is interconnected with the CAS system and is hosted at FINCEN.
• Workflow Imaging Network System (WINS): Document image processing system, which is integrated with an Oracle Developer/2000 relational database. WINS allows electronic data and scanned paper documents to be imaged and processed for data verification, reconciliation and payment. WINS utilizes MarkView software to scan documents, to view the images of scanned documents, and to render images of electronic data received. This system is hosted at FINCEN.
• Checkfree: A commercial product used to reconcile payment information retrieved from the United States Department of the Treasury. It reconciles transaction items that Treasury has processed to transaction items Coast Guard has sent to Treasury. This system is hosted at FINCEN.
• Joint Uniformed Military Pay System (JUMPS): Mainframe application, hosted at PSC, used for paying Coast Guard active and reserve personnel payroll.
• Shore Asset Management (SAM): Hosted at the Coast Guard's Operation System Center (OSC) in Martinsburg, WV. SAM provides core information about the Coast Guard shore facility assets and facility engineering.
  The application tracks activities and assists in the management of the Civil Engineering (CE) Program and the Facility Engineering (FE) Program.


                                     Appendix B

          FY 2009 Notices of IT Findings and Recommendations at Coast Guard


Notice of Findings and Recommendations – Definition of Severity Ratings**:

Each NFR listed in Appendix B is assigned a severity rating from 1 to 3 indicating the influence on the DHS Consolidated Independent Auditors' Report.

      1 – Not substantial
      2 – Less significant
      3 – More significant

The severity ratings indicate the degree to which the deficiency influenced the determination of severity for consolidated reporting purposes. These ratings are provided only to assist the Coast Guard in the development of its corrective action plans for remediation of the deficiency.


                                  Department of Homeland Security
                                     United States Coast Guard
                                  FY2009 Information Technology
                      Notification of Findings and Recommendations – Detail

Each entry below gives the NFR number, whether the finding is a new or repeat issue, its severity rating, the condition observed, and the recommendation.

NFR #: CG-IT-09-10        New Issue:        Repeat Issue: X        Severity Rating: 2
Condition: The current Coast Guard procedures do not include specific guidance for the Program Managers on how to set the correct and consistent risk levels and position sensitivity designations that correspond to CLINs and labor categories. Therefore, there is insufficient guidance over the level of clearance required, which may result in inconsistent risk levels and position sensitivity designations.
Recommendation: Update the policies and procedures currently in place to include clear guidance for Program Managers and Contracting Officers to assign contractor risk level(s) and position sensitivity designation requirements in order to verify that all contracts issued by the Coast Guard include the appropriate investigation level requirements.

NFR #: CG-IT-09-14        New Issue:        Repeat Issue: X        Severity Rating: 1
Condition: The Role-Based Industry Standards for Coast Guard Information Assurance (IA) Professionals Commandant Instruction remains in draft form.
Recommendation:
    • Update the Role-Based Industry Standards for Coast Guard IA Professionals Commandant Instruction to include the procedures by which Direct Access will be used to monitor and verify that training has been completed by all Coast Guard Government personnel with significant information security responsibilities. In addition, the instruction should include the procedures by which Coast Guard contractor compliance will be monitored and verified.
    • Finalize, communicate, and implement the Role-Based Industry Standards for Coast Guard IA Professionals Commandant Instruction.
    • Continue with efforts to implement Direct Access as the centralized method for monitoring and verifying Coast Guard personnel compliance with the specialized role-based training requirements.

NFR #: CG-IT-09-23        New Issue:        Repeat Issue: X        Severity Rating: 1
Condition: Although the Operation Systems Center (OSC) has begun reviewing Shore Asset Management (SAM) audit logs on a regular basis, detailed policies and procedures have not been created over the process and sufficient evidence is not maintained.
Recommendation: Develop and document comprehensive policies and procedures over the SAM audit log review process. These policies and procedures should establish the independence of the reviewer, the audit logs under review, and the supporting documentation requirements, including results and remediation efforts.

NFR #: CG-IT-09-25        New Issue:        Repeat Issue: X        Severity Rating: 1
Condition: Procedures do not include an annual review of all Workflow Imaging Network System (WINS) user accounts, as required by the DHS 4300A Sensitive Systems Handbook and required by the DHS Chief Information Officer.
Recommendation: Modify procedures to require an annual review of one hundred percent (100%) of WINS user accounts and their associated privileges that are greater than read-only. The updated procedures should include steps to verify that: a) all terminated individuals no longer have active accounts, b) inactive accounts are locked, and c) privileges associated with each individual/role are still authorized and necessary for that job function.

NFR #: CG-IT-09-31        New Issue:        Repeat Issue: X        Severity Rating: 3
Condition: Weaknesses continued to exist over the script configuration management process. Specifically, weaknesses were noted in the areas of approvals, testing, monitoring, maintaining documentation, and audit logging.
    • Coast Guard lacks a formal process to distinguish between the module lead approvers for script approval requests.
    • Coast Guard Finance Center (FINCEN) analysts may run scripts without seeking approval from the Functional Supervisors for approved recurring scripts.
    • Testing requirements are inconsistently followed for the testing of the Recurring Approval scripts and retaining evidence of testing.
    • No reconciliation between the scripts run and the changes made to the database tables is being performed to monitor the script activities using this report, as it is too difficult to accurately and effectively reconcile the scripts to the audit log table changes.
    • The Script Tracking System does not consistently include all testing, approval, and implementation documentation for all scripts.
    • Variations in the way the Production Review Process (PRP) Approval Forms are populated and completed exist for fields such as financial impact, test strategy and baseline determinations.
    • Proper approval is not consistently obtained and documented prior to the running of each script.
Recommendation: Continue making improvements to implement and better document an integrated script configuration management process that includes enforced responsibilities of all participants in the process, and the continued development of documentation requirements. We recommend that the Coast Guard should:
    • Continue to design, document, implement, and enforce the effectiveness of internal controls associated with the active (current and future) scripts.
With respect to procedures already in place, Coast Guard should:
    • Update / Develop procedures and implement technical controls in the Core Accounting System (CAS) and Financial Procurement Desktop (FPD) databases to ensure that the appropriate monitoring and review of script activities is performed and documented.
    • Continue to update script policies and procedures to include clear requirements and more detailed guidance over requesting recurring scripts, testing and documentation requirements, monitoring/audit log reviews, and blanket approval requirements. Additionally, ensure that the policies and procedures include detailed guidance over the requirements for the testing of scripts and associated test plans to ensure that the appropriate financial impact of the script is evaluated, reviewed by the appropriate personnel, tested in an appropriate test environment prior to being put into production, and documented prior to execution.
    • Further develop and implement policies and procedures governing the script change control process to ensure that all script records within the Change Management Script System are accurate and complete.

NFR #: CG-IT-09-32        New Issue:        Repeat Issue: X        Severity Rating: 2
Condition: Coast Guard has not created specific procedures to address how monthly contractor reports will be analyzed and does not maintain supporting evidence associated with this review.
Recommendation: Develop and finalize specific procedures over the review of the Contractor Verification System reports and reconciliation of contractor accounts to ensure that contractor data within the system remains current and accurate.

NFR #: CG-IT-09-33        New Issue:        Repeat Issue: X        Severity Rating: 2
Condition: During our FY 2009 follow-up test work, we determined that Coast Guard is currently finalizing the business process that will be used to remediate the conditions identified in the prior year NFR. Once a business process has been finalized, a technical implementation will occur. Currently, Coast Guard HQ plans to use the Direct Access Human Resources (HR) system to notify system owners of HR status changes for all individuals within the system. This would include terminations. Direct Access is currently undergoing a phased upgrade from PeopleSoft 8.0 to PeopleSoft 9.0. Coast Guard informed us that while the functionality required is not included in the 8.0 version, it should be included in the 9.0 version. At this time, where this functionality fits into that upgrade schedule has not yet been determined.
In addition, Coast Guard has created a service request to track its remediation efforts and has identified the termination process currently conducted at Coast Guard's Personnel and Pay Center (PPC) as a potential solution. At PPC, a report is run within Direct Access whenever an individual separates, retires, or transfers, which automatically removes system permissions. However, this process currently excludes contractors and civilians whose information is not currently in Direct Access.
Recommendation:
    • Develop and document an enterprise-wide process that will notify all impacted system owners of terminated, transferred, or retired contractor, military, and civilian personnel; and
    • Develop and finalize entity management policies and procedures for verifying that terminated user accounts have been successfully removed.

NFR #: CG-IT-09-34        New Issue:        Repeat Issue: X        Severity Rating: 1
Condition: Not all WINS change requests were appropriately reviewed and approved by management prior to development and/or prior to implementation. In addition, 1 of the 25 WINS changes selected was identified as having a financial impact consideration to the Coast Guard Financial Statements and, as such, the appropriate Financial Representative approval was not obtained prior to implementation. We further noted that the criterion set forth in the Coast Guard Finance Center Financial Statement Impact Consideration Memo does not provide sufficient detail to assist in making a determination regarding the financial impact of a proposed change.
Recommendation:
    • Consistently enforce the newly implemented PRP process to ensure that all change requests are properly reviewed and approved prior to development and again prior to implementation.
    • Periodically verify FINCEN compliance with its PRP and related approval and CM processes.
    • Formally document detailed decision criteria to be used when determining if a change has a financial impact.

NFR #: CG-IT-09-40        New Issue:        Repeat Issue: X        Severity Rating: 2
Condition: During our FY 2009 follow up, we determined that Coast Guard actively monitors all civilians to verify whether they have a valid background investigation on record. We received documentation from Coast Guard that identified 94 individuals with an outstanding investigation. This number has been reduced significantly from the approximately 350 individuals identified in FY 2008.
Recommendation:
    • Perform the initial background investigations for civilian employees in accordance with the DHS directives over position sensitivity designations; and
    • Conduct civilian background re-investigations
as required by DHS directives, to ensure that\n                                                                             each civilian employee has a favorably\n         Coast Guard continues vetting individuals based on the              adjudicated, valid, and required background\n         Office of Personnel Management (OPM) requirements                   investigation.\n\n\n                                                                        18\n\n                 Information Technology Management Letter for the United States Coast Guard Component\n                                         of the FY 2009 DHS Integrated Audit\n\x0c                                                                                                                                  Appendix B\n\n                                                  Department of Homeland Security\n \n\n                                                     United States Coast Guard\n \n\n                                              Information Technology Management Letter\n                                                         September 30, 2009\n\n                                                                                                                          New     Repeat   Severity\nNFR #                             Condition                                             Recommendation\n                                                                                                                          Issue    Issue    Rating\n         which require a National Agency Check and Inquiries\n         (NACI) investigation for those position designations with\n         the lowest risk. 
A NACI consists of written inquiries and\n         searches of records covering specific areas of a person\'s\n         background during the past five years including current and\n         past employers, schools attended, references, and local law\n         enforcement authorities.\n\n         However, all DHS government positions that use, develop,\n         operate, or maintain IT systems are considered at least\n         moderate risk (not low), and per DHS, 4300A requirements,\n         a Minimum Background Investigation (MBI) is the\n         minimum standard of investigation. The MBI consists of\n         the NACI as well as a credit record search, face-to-face\n         personal interview between the investigator and the subject,\n         and telephone inquiries to selected employers. Therefore,\n         Coast Guard is not in compliance with these DHS\n         requirements.\n\n         In addition, Coast Guard does not complete background re\xc2\xad\n         investigations due to the lack of the requirement under\n         current OPM guidance for low risk positions even though\n         re-investigations must be completed every 10 years for\n         moderate risk positions per DHS Management Directive\n         (MD) 11050.2, Personnel Security and Suitability Program.\n\nCG-IT\xc2\xad   As a result of our audit test work and supported by all the     \xef\xbf\xbd   Continue to implement and improve upon                 X          3\n09-42    IT NFRs issued during the current year, we determined               the monitoring of compliance with DHS,\n         that Coast Guard is non-compliant with the Federal                  Coast Guard, and Federal security policies\n         Financial Management Improvement Act (FFMIA) and                    and procedures in the areas of the script\n         we believe that Coast Guard has not fully addressed the             configuration management controls.\n\n                                                        
                19\n\n                 Information Technology Management Letter for the United States Coast Guard Component\n                                         of the FY 2009 DHS Integrated Audit\n\x0c                                                                                                                                       Appendix B\n\n                                                 Department of Homeland Security\n \n\n                                                    United States Coast Guard\n \n\n                                             Information Technology Management Letter\n                                                        September 30, 2009\n\n                                                                                                                               New     Repeat   Severity\nNFR #                            Condition                                               Recommendation\n                                                                                                                               Issue    Issue    Rating\n         recommendations in NFR CG-IT-08-42.\n                                                                         \xef\xbf\xbd   Develop and implement corrective action\n                                                                             plans to address and remediate the NFRs\n                                                                             issued during the FY 2009 audit. 
These\n                                                                             corrective action plans should be developed\n                                                                             from the perspective of the identified root\n                                                                             cause of the weakness both within the\n                                                                             individual NFR and across related NFRs.\n                                                                             The IT NFRs should not be assessed as\n                                                                             individual issues to fix, but instead, should\n                                                                             be assessed collectively based upon the\n                                                                             control area where the weakness was\n                                                                             identified. This approach enables corrective\n                                                                             action that is more holistic in nature, thereby\n                                                                             leading to a more efficient and effective\n                                                                             processes of addressing/fixing the controls\n                                                                             that are not operating effectively.\n\nCG-IT\xc2\xad   Coast Guard procedures do not include a review of all UMS       Modify procedures to require an annual reviewXof                           2\n09-43    user accounts, as required by DHS 4300A Sensitive               one hundred percent (100%) of UMS user\n         Systems Handbook and required by the DHS-CIO. 
A full            accounts and their associated privileges that are\n         100% review of accounts that exceed \xe2\x80\x98read-only\xe2\x80\x99 access          greater than read-only. The updated procedures\n         would ensure that all terminated individuals no longer have     should include steps to verify that all terminated\n         active accounts, that inactive accounts are locked, and that    individuals no longer have active accounts, that\n         privileges associated with all UMS users are authorized and     inactive accounts are locked and that privileges\n         necessary.                                                      associated with each individuals are still\n                                                                         authorized and necessary.\nCG-IT\xc2\xad   Access was not authorized for two of the 15 individuals we      Include the badge software database during the         X                   1\n09-45    tested who possessed badges allowing FINCEN data center         data center access review process to ensure that no\n         access.                                                         
unauthorized individuals have badges that would\n                                                                         allow them access to the FINCEN data center.\n\n                                                                        20\n\n                 Information Technology Management Letter for the United States Coast Guard Component\n                                         of the FY 2009 DHS Integrated Audit\n\x0c                                                                                                                                       Appendix B\n\n                                                  Department of Homeland Security\n \n\n                                                     United States Coast Guard\n \n\n                                              Information Technology Management Letter\n                                                         September 30, 2009\n\n                                                                                                                               New     Repeat   Severity\nNFR #                             Condition                                              Recommendation\n                                                                                                                               Issue    Issue    Rating\nCG-IT\xc2\xad   During our testing, we determined that all previous year        Implement the corrective actions for the                X                 1\n09-46    conditions listed in NFRs CG-IT-08-36 and CG-IT-08-37           recommendations listed within the NFR.\n         were properly remediated by Coast Guard. 
As part of this\n         year\xe2\x80\x99s testing, we identified nine security configuration\n         management weaknesses (i.e., missing security patches\n         and/or incorrect configuration settings) on hosts supporting\n         CAS and FPD.\n\nCG-IT\xc2\xad   Direct Access passwords do not require a special character,     Through our test work, we determined that the          X                   1\n09-47    which is a requirement set forth within DHS 4300A               control weakness was remediated prior to the\n         Sensitive Systems Policy Directive.                             fiscal year-end; therefore, no recommendation is\n                                                                         required for this NFR.\nCG-IT\xc2\xad   Global Pay accounts are configured to expire after five (5)     Through our test work, we determined that the          X                   1\n09-48    invalid login attempts, rather than three (3), which is a       control weaknesses were remediated prior to the\n         requirement set forth within DHS 4300A Sensitive Systems        fiscal year-end, therefore, no recommendation is\n         Policy.                                                         required for this NFR.\n\nCG-IT\xc2\xad   The quarterly JUMPS audit log review addresses unusual          Review audit logs containing unusual activity and      X                   1\n09-49    activity or unexplained access attempts which DHS 4300A         unexplained access attempts on an at least monthly\n         Sensitive Systems Policy Directive requires to be done on a     basis to meet the requirements set forth in DHS\n         monthly basis.                                                  
4300A, perform the necessary follow up on any\n                                                                         incidents identified and maintain sufficient\n                                                                         evidence of the audit log reviews, and include\n                                                                         copies of audit logs in hard copy or electronic\n                                                                         form and evidence that the review of the audit logs\n                                                                         was conducted.\nCG-IT\xc2\xad   Not all Direct Access failed logon attempts are logged or       \xef\xbf\xbd Identify the Direct Access application               X                   1\n09-50    reviewed; and account management audit logs for the                 security-oriented audit logs that should be\n         Direct Access application are not reviewed on a monthly             reviewed and then have the application system\n         basis, which is a requirement set forth within the DHS              administrators review those Direct Access\n                                                                             application security logs on at least a monthly\n\n                                                                        21\n\n                 Information Technology Management Letter for the United States Coast Guard Component\n                                         of the FY 2009 DHS Integrated Audit\n\x0c                                                                                                                                       Appendix B\n\n                                                   Department of Homeland Security\n \n\n                                                      United States Coast Guard\n \n\n                                               Information Technology Management Letter\n                                     
                     September 30, 2009\n\n                                                                                                                               New     Repeat   Severity\nNFR #                             Condition                                             Recommendation\n                                                                                                                               Issue    Issue    Rating\n         Sensitive Systems Policy Directive.                                basis, in accordance with DHS Policy.\n\n                                                                        \xef\xbf\xbd   Additionally, we recommend that the Coast\n                                                                            Guard upgrade to a more current version of\n                                                                            PeopleSoft and Oracle so that it uses a vendor\n                                                                            supported product with more robust security\n                                                                            controls and so that accountability may be\n                                                                            established to document changes to security\n                                                                            settings and user profiles.\nCG-IT\xc2\xad   Only the last modification to the user account is              Review role change logs on at least a monthly           X                   1\n09-51    documented by the COTS PeopleSoft application software,        basis, in compliance with DHS Policy.\n         making it difficult to establish accountability for role\n         changes within the Global Pay application.\n\n         Additionally, role changes for the Global Pay Application\n         are not reviewed on a monthly basis, which is a requirement\n         set forth within DHS Policy.\n\nCG-IT\xc2\xad   
100% of Direct Access user accounts with greater than          Modify procedures to require an annual review of        X                   2\n09-52    read-only access are not reviewed annually to verify that      one hundred percent (100%) of Direct Access user\n         access remains appropriate, per the DHS 4300A Sensitive        accounts and their associated privileges that are\n         Systems Handbook and required by the DHS-CIO.                  greater than read-only. The updated procedures\n                                                                        should include steps to verify that all terminated\n                                                                        individuals no longer have active accounts, that\n                                                                        inactive accounts are locked and that privileges\n                                                                        associated with each individual are still authorized\n                                                                        and necessary.\nCG-IT\xc2\xad   During our after hours physical testing, we identified 11      \xef\xbf\xbd Review its policies and procedures regarding          X                   1\n09-53    passwords, 2 unsecured laptops, 2 credit cards, and 4              Protection of Sensitive Information and update\n         Common Access Cards (CAC).                                         
where required in order to address DHS and\n                                                                            other Federal requirements, with emphasis\n\n                                                                       22\n\n                 Information Technology Management Letter for the United States Coast Guard Component\n                                         of the FY 2009 DHS Integrated Audit\n\x0c                                                                                                                               Appendix B\n\n                                                Department of Homeland Security\n \n\n                                                   United States Coast Guard\n \n\n                                            Information Technology Management Letter\n                                                       September 30, 2009\n\n                                                                                                                       New     Repeat   Severity\nNFR #                           Condition                                          Recommendation\n                                                                                                                       Issue    Issue    Rating\n        During our social engineering testing, we were provided        being placed on the potential impacts of not\n        with one password.                                             
consistently and adequately protecting this\n                                                                       sensitive information.\n                                                                   \xef\xbf\xbd   Review, and update as required, its security\n                                                                       awareness/training content to address the\n                                                                       updated Protection of Sensitive Information\n                                                                       policies and procedures.\n                                                                   \xef\xbf\xbd   Validate the effectiveness of the updated\n                                                                       policies and procedures and associated\n                                                                       training through mechanisms such as\n                                                                       scheduled and unscheduled desk/floor\n                                                                       reviews, awareness training testing, etc. 
and\n                                                                       take appropriate corrective action to address\n                                                                       any issued identified during this validation.\n\n\n\n\n                                                                  23\n\n                Information Technology Management Letter for the United States Coast Guard Component\n                                        of the FY 2009 DHS Integrated Audit\n\x0c                                                                               Appendix C\n\n                           Department of Homeland Security\n \n\n                              United States Coast Guard\n \n\n                       Information Technology Management Letter\n                                  September 30, 2009\n\n\n\n\n                                    Appendix C \n\n\nStatus of Prior Year Notices of Findings and Recommendations and \n\n                          Comparison to \n\nCurrent Year Notices of Findings and Recommendations at Coast \n\n                            Guard\n \n\n\n\n\n\n                                           24\n\n  Information Technology Management Letter for the United States Coast Guard Component\n                          of the FY 2009 DHS Integrated Audit\n\x0c                                                                                                        Appendix C\n\n                                   Department of Homeland Security\n \n\n                                      United States Coast Guard\n \n\n                               Information Technology Management Letter\n                                          September 30, 2009\n\n                                                                                                     Disposition\nCoast Guard NFR #                                Description                                   Closed       Repeat\n Component\nFINCEN     08-01      
The Coast Guard Finance Center (FINCEN) Continuity of Operations Plan (COOP) has not been updated to reflect the results of testing the COOP, and the Business Continuity Plans for each division have not been finalized.

FINCEN, NFR 08-06 (Disposition: Closed)
During the first half of the fiscal year, the contract with the Core Accounting System (CAS) and Financial Procurement Desktop (FPD) software vendor was still in place, and no corrective action had taken place related to the prior year recommendation. Therefore, the risk exists that the condition was present for the majority of the fiscal year (October 1, 2007 through April 1, 2008). However, due to the Coast Guard decision to terminate the contract with their software vendor and the Coast Guard Headquarters decision to suspend all Software Problem Reports (SPRs) and Software Change Requests (SCRs), the condition did not exist beyond the date of these 2 events.

PPC, NFR 08-07 (Disposition: Closed)
We determined that Coast Guard's Pay and Personnel Center (PPC) has not implemented the following password requirements:
- Passwords shall contain special characters
- Passwords shall not contain any dictionary word
- Passwords shall not contain any proper noun or the name of any person, pet, child, or fictional character
- Passwords shall not contain any employee serial number, Social Security number, birth date, phone number, or any information that could be readily guessed about the creator of the password
- Passwords shall not contain any simple pattern of letters or numbers, such as "qwerty" or "xyz123"
- Passwords shall not be any word, noun, or name spelled backwards or appended with a single digit or with a two-digit "year" string, such as 98xyz123
- Passwords shall not be the same as the User ID

While compensating controls were implemented to reduce the risk of unauthorized access, they do not by themselves eliminate that risk.

CG HQ, NFR 08-10 (Disposition: Repeat as 09-10)
Coast Guard Headquarters has developed but not yet implemented policies and procedures to require that a favorably adjudicated background investigation be completed for all contractor personnel.

CG HQ, NFR 08-14 (Disposition: Repeat as 09-14)
Coast Guard Headquarters has not finalized the Role-Based Training for Coast Guard Information Assurance Professionals Commandant Instruction, which will require all Coast Guard members, employees, and contractors with significant IT security responsibilities to receive initial specialized training and annual refresher training thereafter. The online Training Management Tool, which will track compliance, will not be implemented until the Role-Based Training is implemented.

FINCEN, NFR 08-17 (Disposition: Closed)
Although FINCEN has made significant progress in remediation, we were unable to verify that FINCEN is consistently remediating the vulnerabilities identified by the AppDetective scans in order to make it an effective mitigating control for the Checkfree application.

OSC, NFR 08-23 (Disposition: Repeat as 09-23)
Policies and procedures have not been developed and implemented for the manual periodic review of SAM audit logs. As a result, SAM audit logs are not periodically reviewed.

FINCEN, NFR 08-25 (Disposition: Repeat as 09-25)
We determined the following weaknesses associated with the Workflow Imaging Network System (WINS) change controls:
- Procedures have been created and implemented for the quarterly review of developer and analyst roles. However, the procedures do not include the review of all other WINS user accounts to ensure that all terminated individuals no longer have active accounts, that inactive accounts are locked, and that privileges associated with each individual are still authorized and necessary.
- 529 users have unlocked WINS database accounts with access to the WINS_USER_R role. Therefore, the number of users with the WINS_USER_R role has increased by 141 users from the 388 users noted during FY 2007. Additionally, a mapping of SQL flow roles within the WINS application to the tables that can be updated within the WINS database has not been created. Therefore, we are unable to perform an analysis of the SQL flow roles and the associated tables that are affected to determine whether access is appropriately restricted.
- The password configurations for the PRODUSER and SECURE_LOGON profiles will not be updated to be in compliance with DHS guidance until after the 10G Release 2 (10gR2) Oracle database upgrade. Since no improvements have been made in regards to the WINS password configuration, we determined that the password configurations continue to not meet the DHS requirement that a user password contain at least one special character.

OSC, NFR 08-27 (Disposition: Closed)
We noted that Coast Guard was unable to provide sufficient evidence of the following:
- SAM access request forms are documented and approved;
- SAM user accounts are revalidated annually; and
- SAM access is revoked in a timely manner for employees or contractors that have left Coast Guard or are reassigned to other duties.

FINCEN, NFR 08-31 (Disposition: Repeat as 09-31)
Coast Guard's controls over the scripting process remain ineffective. Weaknesses were noted in controls over script implementation, approvals and testing, as well as active script modification. In addition, Coast Guard has not maintained or developed a population of scripts run since the inception of CAS in 2003, nor has it performed a historical analysis of script impact on the cumulative balances in permanent accounts of the financial statements. Specifically:
- Coast Guard lacks a formal process to distinguish between the module lead approvers for script approval requests;
- The Procedures for Data Scripts do not specifically state the testing and documentation requirements for blanket approval scripts, and this policy remains in draft form;
- Coast Guard does not monitor scripts run in the database through audit logging and has not developed a technical solution to monitor who accesses the database through SQL Navigator to run scripts or to review what scripts are run;
- The Script Tracking System does not consistently include all testing, approval, and implementation documentation for all scripts; and
- Coast Guard has not completed PRP documentation for all scripts executed since their implementation.

CG HQ, NFR 08-32 (Disposition: Repeat as 09-32)
Although Coast Guard Headquarters has mandated the use of the Contractor Verification System (CVS) to maintain and track contracted personnel data, procedures surrounding this process have
           not been formally documented. As a result, we were unable to\n                      determine the effectiveness of the controls in place for contractor\n                      tracking.\n\nCG HQ       08-33     Coast Guard does not consistently notify system owners that                          09-33\n                      individuals are terminating from the Coast Guard so that system\n                      accounts can be updated timely.\n\nFINCEN      08-34     All WINS SCRs are not being appropriately reviewed and approved                      09-34\n                      by management prior to development/deployment. In addition,\n                      WINS developers and testers are not updating information in the\n\n\n                                                         27\n\n        Information Technology Management Letter for the United States Coast Guard Component\n                                of the FY 2009 DHS Integrated Audit\n\x0c                                                                                                         Appendix C\n\n                                   Department of Homeland Security\n \n\n                                      United States Coast Guard\n \n\n                               Information Technology Management Letter\n                                          September 30, 2009\n\n                                                                                                      Disposition\nCoast Guard NFR #                                 Description                                   Closed       Repeat\nComponent\n                      PVCS tool in a timely manner.\n\nFINCEN      08-35     We noted that control weaknesses still exist within the design of           X\n                      FINCEN\xe2\x80\x99s Configuration Management policies and procedures for\n                      CAS and FPD, as well as the operating effectiveness of those\n                      controls. 
Our test work over the design of the change controls\n                      covered both periods of the change control environment; however,\n                      our testing of operating effectiveness covered only the period of start\n                      of the fiscal year through March 2008, since no changes were made\n                      to CAS and FPD from April through the remainder of the fiscal year.\n\nFINCEN      08-36     Configuration management weaknesses continue to exist on hosts              X\n                      supporting the CAS, FPD and WINS applications and the underlying\n                      General Support Systems (GSS).\n\n                      Note: Due to the nature of this testing, see the tables in the NFR for\n                      the specific conditions.\n\nFINCEN      08-37     Security patch management weaknesses continue to exist on hosts             X\n                      supporting the CAS, FPD and WINS applications and GSS.\n\n                      Note: Due to the nature of this testing, see the tables in the NFR for\n                      the specific conditions.\n\nCG HQ       08-40     Although Coast Guard Headquarters is in the process of completing                      09-40\n                      background investigations for all civilian employees, this has not\n                      been completed. Additionally, Coast Guard has set its position\n                      sensitivity designations to Low for the majority of its employees.\n                      However, DHS requires position sensitivity designations no less than\n                      Moderate which equates to a Minimum Background Investigation\n                      (MBI). 
Therefore, we determined that the conditions noted in prior\n                      year NFR CG-IT-07-40 have not been remediated.\n\nFINCEN      08-41     FINCEN has not completed the risk assessment for the CAS Suite,             X\n                      and the CAS System Security Plan (SSP) is still in draft form.\n\nCG HQ       08-42     During prior financial statement audits dating back to FY 2003, we                     09-42\n                      noted that implementation and oversight of the Coast Guard\xe2\x80\x99s\n                      information security policy and procedures was fragmented among\n                      the organizations responsible for operating various\n                      applications/systems. In FY 2008, significant improvements have\n                      been made in some areas; however, improvements are still warranted\n                      at the Coast Guard data centers/locations that operate and process key\n                      Coast Guard financial information. 
Improvements are needed\n\n\n                                                         28\n\n        Information Technology Management Letter for the United States Coast Guard Component\n                                of the FY 2009 DHS Integrated Audit\n\x0c                                                                                                        Appendix C\n\n                                 Department of Homeland Security\n \n\n                                    United States Coast Guard\n \n\n                             Information Technology Management Letter\n                                        September 30, 2009\n\n                                                                                                   Disposition\nCoast Guard NFR #                               Description                                    Closed     Repeat\nComponent\n                    especially in the areas of change control and to a lesser extent, access\n                    to data and programs. 
These two key areas were the subject of\n                    significant findings identified and recommendations that were made\n                    during the audit.\n\n                    As a result of our audit test work and supported by all the IT NFRs\n                    issued during the current year, we determined that Coast Guard is\n                    non-compliant with the Federal Financial Management Improvement\n                    Act.\n\nFINCEN    08-43     During our testwork over CAS and FPD access accounts, we noted                         09-43\n                    that controls over user account authorizations and controls over user\n                    account reviews were not operating effectively.\n\n\n\n\n                                                       29\n\n      Information Technology Management Letter for the United States Coast Guard Component\n                              of the FY 2009 DHS Integrated Audit\n\x0c                                                                                                                Appendix D\n                                Department of Homeland Security \n\n                                   United States Coast Guard \n\n                            Information Technology Management Letter\n                                       September 30, 2009\n\n\n\n                                                                             >I" \'""""\' ....... ~... 
Appendix E

Department of Homeland Security
United States Coast Guard
Information Technology Management Letter
September 30, 2009

Report Distribution

Department of Homeland Security

Secretary
Deputy Secretary
General Counsel
Chief of Staff
Deputy Chief of Staff
Executive Secretariat
Under Secretary, Management
Commandant, USCG
DHS Chief Information Officer
DHS Chief Financial Officer
Chief Financial Officer, USCG
Chief Information Officer, USCG
Chief Information Security Officer
Assistant Secretary for Policy
Assistant Secretary for Public Affairs
Assistant Secretary for Office of Legislative Affairs
DHS GAO OIG Audit Liaison
Chief Information Officer, Audit Liaison
USCG Audit Liaison

Office of Management and Budget

Chief, Homeland Security Branch
DHS OIG Budget Examiner

Congress

Congressional Oversight and Appropriations Committees as Appropriate

ADDITIONAL INFORMATION AND COPIES

To obtain additional copies of this report, please call the Office of Inspector General (OIG) at (202) 254-4100, fax your request to (202) 254-4305, or visit the OIG web site at www.dhs.gov/oig.

OIG HOTLINE

To report alleged fraud, waste, abuse or mismanagement, or any other kind of criminal or noncriminal misconduct relative to department programs or operations:

• Call our Hotline at 1-800-323-8603;
• Fax the complaint directly to us at (202) 254-4292;
• Email us at DHSOIGHOTLINE@dhs.gov; or
• Write to us at:
       DHS Office of Inspector General/MAIL STOP 2600,
       Attention: Office of Investigations - Hotline,
       245 Murray Drive, SW, Building 410,
       Washington, DC 20528.

The OIG seeks to protect the identity of each writer and caller.